
…Secondary Vocational Education Reform and Development Demonstration School (edited and revised draft)

2025-01-28 14:54
 

[Article content summary]

Cons: Unknown devices may never authenticate, but still could have network access; may not check all IP devices

Inline security appliance/switch
- Pros: Sees all devices, both managed and unmanaged, and doesn't require agent-based software
- Cons: If it is not inline with, or does not replace, the access switch then it will not see the device as it comes on the network

Out-of-band appliances with network awareness
- Pros: Sees all devices as they enter the network, both managed and unmanaged; easier to implement than many of the other approaches
- Cons: May require switch integration for mitigation of problems

CONFIDENTIAL

Assess

Assess Endpoint Integrity

Question: Even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
Answer: Endpoint integrity checks
- Operating system identification and validation checks
  - Typically requires an agent
  - Must establish a policy relating to acceptable patch level (latest patch on company SMS server, no older than X months, most recent patch available from software vendor)
  - What do you do for unknown devices? Usually requires an agent for these checks
- Security software checks: AV, personal firewall, spyware, etc.
  - Is it up and running
  - Is it in the right configuration
  - Is it up to date, both the software and the database
  - Usually requires an agent for these checks

Assess Endpoint Integrity cont.

Endpoint integrity checks cont.
- Endpoint configuration: find unauthorized servers and services
  - Web servers, FTP servers, mail servers, etc.
  - Vulnerable or high risk ports, e.g. port 445 exploited by Zotob
  - These checks can be done from the network or with an agent
- Threat detection
  - Scan the device for active infections or backdoors
  - Not commonly implemented on entry to the network
    - Too much latency
    - Risk profile substituted for deep scans (e.g. AV is up to date and had a current scan)

Elements for endpoint integrity checks
- Network scanning server (Optional)
- Endpoint software, permanent or transient (Optional)
- Policy server (Required): must have somewhere to define what is allowed/disallowed

Monitor

Monitoring Post Network Entry

The forgotten element of Network Access Control
- Why is monitoring a critical element of NAC?
  - Can't effectively check for all threats on entry: takes too long
  - Security policy state can change post entry: users initiate FTP after access is granted
  - Infection can occur post entry and web threats can change security state of the device
- What Gartner says in their paper "Protect Your Resources With a Network Access Control Process"
  - "The network traffic and security state of systems that are connected to the network must be monitored for anomalous behavior or system changes that bring them out of compliance with security policies."

Why isn't this simply another network security function?
- Monitoring is both for threats and policy adherence; takes advantage of policy definition of NAC solution
- Works hand in hand with NAC quarantine services

Traditional Approach to Network Security

Traditional Approach
- Firewall/IPS at the Perimeter
- AV, HIDS/HIPS on the Endpoint

This approach leaves a soft underbelly through which unmanaged, out-of-policy and infected endpoints can easily gain access.

External Environment
- New technologies
- New threats
- Regulatory requirements

Exploiting the Network's Weakness

Infected endpoints bypass the perimeter… …generating rapidly propagating threats that take over a network in minutes… …bringing business to a halt and creating costly cleanup.

Monitoring Approaches

Agent based approaches
- Host Intrusion Prevention Systems
- Personal firewalls
- Both require integration with a network policy server to be an element of NAC
- Doesn't cover unknown/unmanaged/unmanageable devices

Network based approaches
- Inline: Typically evolution of IPS vendors into NAC capabilities; also includes Network Based Anomaly Detection (NBAD) vendors
- Out-of-band: Most commonly NBAD and old Distributed Denial of Service (DDoS) security vendors

Key considerat
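
The endpoint integrity checks from the "Assess" slides (acceptable patch level, security software state, unauthorized services such as port 445) can be expressed as a policy-server decision. The following is an added example, not part of the original slides; the thresholds, the report format, the decision names and the handling of unknown devices are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy values: the slides leave "X months" and the list of
# disallowed services for the operator to define on the policy server.
MAX_PATCH_AGE_DAYS = 90
MAX_AV_DB_AGE_DAYS = 7
DISALLOWED_PORTS = {21: "FTP server", 25: "mail server", 80: "web server",
                    445: "SMB (port 445, exploited by Zotob)"}

@dataclass
class AgentReport:
    """Posture reported by an endpoint agent (constructed format)."""
    last_patch: Optional[date]   # None = agent could not determine it
    av_running: bool
    av_db_date: Optional[date]
    firewall_on: bool

def too_old(when, today, max_days):
    return when is None or (today - when).days > max_days

def assess(report, open_ports, today):
    """Return (decision, reasons). report is None for an unknown or unmanaged
    device: only the network-side scan result (open_ports) is available."""
    reasons = [f"unauthorized service: {DISALLOWED_PORTS[p]}"
               for p in sorted(set(open_ports) & DISALLOWED_PORTS.keys())]
    if report is None:
        # Assumed policy: a clean unknown device gets restricted access,
        # never full access, because agent-only checks could not run.
        reasons.append("no agent: OS patch level and security software unverified")
        return ("quarantine" if len(reasons) > 1 else "restricted"), reasons
    if too_old(report.last_patch, today, MAX_PATCH_AGE_DAYS):
        reasons.append("OS patch level older than policy allows")
    if not report.av_running:
        reasons.append("AV not running")
    if too_old(report.av_db_date, today, MAX_AV_DB_AGE_DAYS):
        reasons.append("AV signature database out of date")
    if not report.firewall_on:
        reasons.append("personal firewall disabled")
    return ("allow" if not reasons else "quarantine"), reasons

if __name__ == "__main__":
    today = date(2025, 1, 28)  # constructed sample inputs below
    ok = AgentReport(date(2025, 1, 10), True, date(2025, 1, 27), True)
    stale = AgentReport(date(2024, 6, 1), True, date(2025, 1, 1), True)
    for name, rep, ports in [("managed-ok", ok, [3389]), ("managed-stale", stale, [445]),
                             ("unknown-printer", None, [9100]), ("unknown-server", None, [80])]:
        print(name, assess(rep, ports, today))
```

Because the security state can change after entry, the same function can be re-run on each new agent report or scan result rather than only at admission.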